Apple is backporting two security patches released on Friday. The updated patches address zero-day vulnerabilities on iPhones, iPads, and Macs.
Details About the Vulnerabilities
The first flaw, tracked as CVE-2023-28206, is an out-of-bounds write issue. This bug may permit threat actors to execute arbitrary code with kernel privileges on unpatched devices using malicious apps.
Apple is aware of a report that this issue may have been actively exploited.
The second zero-day vulnerability, tracked as CVE-2023-28205, is a WebKit use after free. Cybercriminals can leverage it to execute malicious code after the user loads a malicious website page.
Today, Apple addressed the zero-days in iOS 15.7.5 and iPadOS 15.7.5, macOS Monterey 12.6.5, and macOS Big Sur 11.7.6 by improving input validation and memory management.
The following list of devices has reportedly had the issues fixed, according to the tech giant:
- iPhone 6s (all models)
- iPhone 7 (all models)
- iPhone SE (1st generation)
- iPad Air 2
- iPad mini (4th generation)
- iPod touch (7th generation)
- Macs running macOS Monterey and Big Sur
Context for the Flaws
Google’s Threat Analysis Group and Amnesty International’s Security Lab confirmed that the vulnerabilities were exploited in attacks. Researchers warn that these types of flaws are often used by government-backed threat actors to deploy spyware on targets’ devices.
Super proud of our team at @AmnestyTech and everyone who helped in this investigation.
Today, Apple published an emergency update for all iPhones to patch an exploit chain which we, together with @_clem1 (Google TAG) discovered in the wild. pic.twitter.com/KLMYjqi3lK
— Donncha Ó Cearbhaill (@DonnchaC) April 7, 2023
Apple patched another WebKit zero-day (CVE-2023-23529) in mid-February. The hackers used the flaw to trigger crashes and gain code execution on iOS, iPadOS, and macOS devices.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, and YouTube for more cybersecurity news and topics.
If you liked this post, you will enjoy our newsletter.
Get cybersecurity updates you’ll actually want to read directly in your inbox.
